T-Mobile ups number of data-breach victims to 54 million

The exterior of a T-Mobile store on the Las Vegas Strip in Paradise, Nevada.
(Image credit: ehrlif/Shutterstock)

T-Mobile has upped its estimates of how many people were affected by its more recent data breach, adding another 6 million accounts for a new total of 54 million in an updated blog post today (Aug. 20).

If there's any silver lining, none of these new 6 million people had their Social Security numbers stolen, although most did have their names, dates of birth and phone numbers compromised. Those individuals are at slightly lower risk of identity theft than the 48 million whose SSNs and driver's licenses were pilfered.

The less-good news is that about 13 million current T-Mobile customers did indeed have their phone numbers compromised, along with their International Mobile Equipment Identity (IMEI) numbers, which identify handsets, and their International Mobile Subscriber Identity (IMSI) numbers, which identify SIM cards.

Everyone affected by this breach is eligible for two free years of McAfee ID Theft Protection, paid for by T-Mobile. At the moment, pretty much anyone can sign up to try to get that deal, whether you've ever been associated with T-Mobile or not, though there's no guarantee you'll actually qualify.

Meanwhile, the lawsuits have begun. Vice Motherboard reports that a class-action complaint was filed yesterday (Aug. 19) in federal court in Washington state on behalf of four individuals said to be hurt by the T-Mobile data breach. The lawsuit does not specify an amount for an award but does demand a jury trial.

What you need to do

If you've ever had a T-Mobile account, or even just applied for one, you should take up the company on its offer of the free identity monitoring. That's true even if you already have identity theft protection coverage as the result of another data breach or that you pay for yourself.

You also need to change the password and PIN on your T-Mobile account. T-Mo says that only about 900,000 prepaid customers (including, as of today, 52,000 Metro by T-Mobile users) had their PINs and passwords compromised, and that it has already reset the PINs for those customers. 

Possibly as a result, it has also altered the official T-Mobile data breach response page to remove the links to reset your T-Mobile PIN and reset your T-Mobile password, although those pages are still up.

If you're among the 48 million people whose names, addresses, dates of birth and SSNs were stolen, or among the 6 million who had all that stolen except the addresses and SSN, contact one of the Big Three credit-reporting bureaus — Equifax, Experian and TransUnion — to have fraud alerts placed on your credit files. 

The bureau you contact will notify the other two. Here's how to get the fraud alert started.

You should also consider instituting a credit freeze with each of the Big Three. You'll have to contact each one individually, but here's how. Credit freezes can complicate efforts to get a loan or open a new payment account, but you can temporarily "unfreeze" your files for a day or two if necessary.

Who's affected by the T-Mobile data breach and how

Keeping track of all the different groups of people affected by this T-Mobile breach isn't easy, but here's our latest best effort.

  • 7.8 million current T-Mobile customers who have postpaid accounts, the kind for which you get a bill in the mail. Many or most of these people have had their names, dates of birth, Social Security numbers, information from driver's licenses or other forms of ID, phone numbers, IMEIs and IMSIs compromised. Street addresses should also be considered compromised because those are on the driver's licenses. These individuals are at high risk of identity theft.
  • 40 million former T-Mobile postpaid customers and persons who applied for T-Mobile postpaid accounts. Many or most of these people have had their names, dates of birth, Social Security numbers and driver's licenses or other forms of ID compromised. Street addresses should also be considered compromised. These people are also at high risk of identity theft.
  • 5.3 million current T-Mobile customers with postpaid accounts. Many or most of these people have had their names, dates of birth, addresses, phone numbers, IMEIs and IMSIs compromised, but NOT their Social Security numbers or driver's licenses. (Some addresses don't seem to be tied to driver's licenses.) These people are at medium risk of identity theft — the absence of the Social Security numbers lowers the stakes a bit.
  • 667,000 former T-Mobile postpaid customers. Many or most of these people have had their names, dates of birth, addresses and phone numbers compromised, but NOT their Social Security numbers or driver's licenses. These people are at medium risk of identity theft.
  • 850,000 current T-Mobile customers with prepaid/pay-as-you-go customers. These people had their names, phone numbers and account PINs exposed. T-Mobile says it has reset the PINs for all those accounts. These people are at low risk of identity theft.
  • 52,000 current Metro by T-Mobile prepaid customers. These may or may not be part of the 850,000 prepaid accounts already mentioned — T-Mobile is not clear about that. It's implied that these people's names, phone numbers and PINs were compromised.
  • An undetermined number of names, phones numbers and PINs from inactive prepaid accounts.
  • An undetermined number of phone numbers, IMEIs and IMSIs without any names attached.

T-Mobile maintains that no credit-card information or any other type of financial information was compromised in this breach.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.